[Openvpn-devel] man: Improve token based authentication

Message ID 20180404121357.2126-1-davids@openvpn.net
State New
Headers show
Series
  • [Openvpn-devel] man: Improve token based authentication
Related show

Commit Message

David Sommerseth April 4, 2018, 12:13 p.m.
Be more explicit that --auth-gen-token is to be considered a workaround
for authentication scripts/plug-ins not supporting --auth-token.

Also be more explicit that invalidated --auth-token values will result
in the client disconnecting.

Signed-off-by: David Sommerseth <davids@openvpn.net>
---
 doc/openvpn.8 | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

Comments

Selva Nair April 4, 2018, 2:24 p.m. | #1
Hi,

On Wed, Apr 4, 2018 at 8:13 AM, David Sommerseth <davids@openvpn.net> wrote:
> Be more explicit that --auth-gen-token is to be considered a workaround
> for authentication scripts/plug-ins not supporting --auth-token.
>
> Also be more explicit that invalidated --auth-token values will result
> in the client disconnecting.
>
> Signed-off-by: David Sommerseth <davids@openvpn.net>

IMO, this is just muddying up waters further. To the user its still not
clear when does the token get invalidated and in which of those cases
is the client left in a lurch. The token gets invalidated on (i) token
expiry (a broken feature) or (ii) server restart. The client can
recover from the latter as it will get an auth-failed, but the former
causes a disconnection from server's perspective but client gets no
notice. So saying that "will result in the client disconnecting" is
not helpful.

A better quick fix would be to just remove token expiry feature from
the code until a proper implementation can be devised.

Selva

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
David Sommerseth April 4, 2018, 3:07 p.m. | #2
On 04/04/18 16:24, Selva Nair wrote:
> Hi,
> 
> On Wed, Apr 4, 2018 at 8:13 AM, David Sommerseth <davids@openvpn.net> wrote:
>> Be more explicit that --auth-gen-token is to be considered a workaround
>> for authentication scripts/plug-ins not supporting --auth-token.
>>
>> Also be more explicit that invalidated --auth-token values will result
>> in the client disconnecting.
>>
>> Signed-off-by: David Sommerseth <davids@openvpn.net>
> 
> IMO, this is just muddying up waters further. To the user its still not
> clear when does the token get invalidated and in which of those cases
> is the client left in a lurch. The token gets invalidated on (i) token
> expiry (a broken feature) or (ii) server restart. The client can
> recover from the latter as it will get an auth-failed, but the former
> causes a disconnection from server's perspective but client gets no
> notice. So saying that "will result in the client disconnecting" is
> not helpful.
> 
> A better quick fix would be to just remove token expiry feature from
> the code until a proper implementation can be devised.

The intention to this patch is actually not directly tied to the fixes needed
to the --auth-gen-token handling at all.  This is just to clarify the current
behaviour.

In addition, it became clearer to me that the --auth-gen-token might be
perceived as a "one-stop-fix" for authentication plug-ins/scripts not
supporting auth-tokens.

Further, the token expiry is an opt-in feature.  It is something the
authentication script/plug-in need to handle, or explicitly enabled with
--auth-gen-token by providing an expiry timeout.

Arne and I have discussed his patch today, and agreed upon a path forward of
fixing these issues as well and ensure that both OpenVPN 2 in client mode and
OpenVPN 3 based clients all behave in a similar way.  This does also not rule
out that we might need to fix OpenVPN 3 as well.  But consistent behaviour
across versions with a reasonably good user experience is the core goal.  We
just need to take this carefully, step by step.

Patch

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 4114f408..b6de2c9c 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3671,10 +3671,25 @@  argument defines how long the generated token is valid.  The
 lifetime is defined in seconds.  If lifetime is not set
 or it is set to 0, the token will never expire.
 
-This feature is useful for environments which is configured
-to use One Time Passwords (OTP) as part of the user/password
-authentications and that authentication mechanism does not
-implement any auth\-token support.
+.B PLEASE NOTE:
+The
+.B \-\-auth\-gen\-token
+feature is to be considered a workaround for authentication
+scripts or plug\-ins not providing proper
+.B auth\-token
+support.  The
+.B auth\-token
+feature is most commonly needed when deploying two factor
+authentications, such as One Time Password (OTP) based
+authentication.  Proper authentication scripts/plug\-ins should
+implement support for generating, sending and verifying
+.B auth\-token
+values sent to successfully authenticated clients, and particularly
+when OTP authentication is required.
+
+See also
+.B \-\-auth\-token
+for more details.
 .\"*********************************************************
 .TP
 .B \-\-opt\-verify
@@ -5291,6 +5306,15 @@  OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls.  This option provides
 a possibility to replace the clients password with an authentication
 token during the lifetime of the OpenVPN client.
 
+.B BEWARE:
+Clients which has received an
+.B auth\-token
+will be using this value as the password on each renegotiation and
+reconnection to the server until it stops running.  If the server
+has invalidated the
+.B auth\-token
+since the last authentication, the client will be disconnected.
+
 Whenever the connection is renegotiated and the
 .B \-\-auth\-user\-pass\-verify
 script or